cleancloud-io
diff --git a/‎README.fr.md‎
Lines changed: 5 additions & 4 deletions b/‎README.fr.md‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎README.md‎
Lines changed: 5 additions & 4 deletions b/‎README.md‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎cleancloud.yaml‎
Lines changed: 4 additions & 0 deletions b/‎cleancloud.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎cleancloud/doctor/aws.py‎
Lines changed: 49 additions & 0 deletions b/‎cleancloud/doctor/aws.py‎
Lines changed: 49 additions & 0 deletions
@@ -194,7 +194,7 @@ Pas encore de compte cloud ? `cleancloud demo` affiche un exemple de sortie sans
 - **Détection du gaspillage IA/ML sur les 3 clouds :** endpoints SageMaker et notebooks, clusters AML Compute et instances ML, endpoints Vertex AI et instances Workbench — facturés 500–23 000 $/mois par ressource en silence. Ressources GPU flaggées risque HIGH. Les outils natifs montrent la facture — CleanCloud indique quoi supprimer. Opt-in via `--category ai`
 - **Gouvernance policy-as-code :** `cleancloud.yaml` pour la configuration par règle, les exceptions avec dates d'expiration, les seuils de coût et de confiance, les exclusions par tag — versionné aux côtés de votre infrastructure. Chaque exception est une approbation auditée dans git.
 - **Application de politique (opt-in) :** `--fail-on-confidence HIGH` ou `--fail-on-cost 500` — appliquer des seuils de gaspillage en CI/CD sur un planning, géré par les équipes platform ou FinOps
-- **39 règles de détection sélectives et haut signal :** volumes orphelins, bases de données inactives, instances arrêtées, registres inutilisés, et plus — conçues pour éviter les faux positifs en environnements IaC, chacune avec une estimation de coût déterministe
+- **40 règles de détection sélectives et haut signal :** volumes orphelins, bases de données inactives, instances arrêtées, registres inutilisés, et plus — conçues pour éviter les faux positifs en environnements IaC, chacune avec une estimation de coût déterministe
 - **Scan multi-comptes (AWS) :** scannez des AWS Organizations entières en une exécution — fichier de config, IDs inline, ou auto-découverte via `--org`
 - **Scan multi-abonnements (Azure) :** scannez tous les abonnements Azure en parallèle — auto-découverte via Management Group, détail des coûts par abonnement inclus
 - **Scan multi-projets (GCP) :** scannez tous les projets GCP accessibles en parallèle — auto-découverte via Application Default Credentials, détail des coûts par projet inclus
@@ -274,6 +274,7 @@ L'infrastructure IA/ML inactive est la source de gaspillage cloud invisible à l
 | Bedrock Provisioned Throughput | 600 – 7 300+ $ / MU / mois |
 | Endpoint SageMaker (GPU) | 500 – 23 000 $ / mois |
 | Instance Notebook SageMaker (GPU) | 500 – 23 000+ $ / mois |
+| Studio Apps SageMaker (KernelGateway/JupyterLab/CodeEditor) | 42 – 1 600+ $ / mois |
 | Cluster AML Compute Azure (GPU) | 600 – 15 000 $ / mois |
 | Instance de calcul Azure ML (GPU) | 600 – 15 000+ $ / mois |
 | Déploiement Azure OpenAI Provisionné (PTU) | 1 460+ $ / PTU / mois |
@@ -283,7 +284,7 @@ L'infrastructure IA/ML inactive est la source de gaspillage cloud invisible à l
 CleanCloud détecte les endpoints à zéro invocation / zéro prédiction et les instances de notebook inactives sur les 3 clouds et les signale risque HIGH. Les outils natifs montrent la facture — ils ne vous disent pas *quel endpoint* supprimer.
 
 ```bash
-cleancloud scan --provider aws --category ai          # PTUs Bedrock + endpoints + notebooks SageMaker + EC2 GPU
+cleancloud scan --provider aws --category ai          # PTUs Bedrock + endpoints + notebooks + Studio apps SageMaker + EC2 GPU
 cleancloud scan --provider azure --category ai        # clusters AML + instances ML + PTUs OpenAI
 cleancloud scan --provider gcp --category ai          # endpoints Vertex AI + Workbench
 cleancloud scan --provider aws --category all         # hygiène + IA/ML ensemble
@@ -523,7 +524,7 @@ Oui. CleanCloud n'a besoin d'accès réseau qu'aux endpoints API de votre cloud
 
 ## Ce que CleanCloud détecte
 
-35 règles pour AWS, Azure et GCP — conservatives, haut signal, conçues pour éviter les faux positifs en environnements IaC.
+40 règles pour AWS, Azure et GCP — conservatives, haut signal, conçues pour éviter les faux positifs en environnements IaC.
 
 **AWS :**
 - Compute : instances arrêtées 30+ jours (charges EBS continuent)
@@ -532,7 +533,7 @@ Oui. CleanCloud n'a besoin d'accès réseau qu'aux endpoints API de votre cloud
 - Plateforme : instances RDS inactives (HIGH)
 - Observabilité : logs CloudWatch à rétention infinie
 - Gouvernance : ressources sans tags, security groups inutilisés
-- IA/ML *(opt-in : `--category ai`)* : Bedrock Provisioned Throughput (Model Units) inactifs avec zéro invocations depuis 7+ jours — facturés 600–7 300+$/MU/mois quel que soit le trafic ; endpoints SageMaker inactifs avec zéro invocations depuis 14+ jours — endpoints GPU flaggés risque HIGH ($500–$23K/mois) ; instances Notebook SageMaker sans activité depuis 14+ jours — notebooks GPU flaggés risque HIGH ($500–$23K+/mois)
+- IA/ML *(opt-in : `--category ai`)* : Bedrock Provisioned Throughput (Model Units) inactifs avec zéro invocations depuis 7+ jours — facturés 600–7 300+$/MU/mois quel que soit le trafic ; endpoints SageMaker inactifs avec zéro invocations depuis 14+ jours — endpoints GPU flaggés risque HIGH ($500–$23K/mois) ; instances Notebook SageMaker sans activité depuis 14+ jours — notebooks GPU flaggés risque HIGH ($500–$23K+/mois) ; Studio Apps SageMaker (KernelGateway/JupyterLab/CodeEditor) sans activité utilisateur depuis 7+ jours — apps GPU flaggées risque HIGH ($42–$1 600+/mois)
 
 **Azure :**
 - Compute : VMs arrêtées (non désallouées) (HIGH)
 
@@ -194,7 +194,7 @@ No cloud account yet? `cleancloud demo` shows sample output without any credenti
 - **AI/ML waste detection across all 3 clouds:** idle SageMaker endpoints and notebooks, AML compute clusters and instances, Vertex AI endpoints and Workbench instances — silently billing $500–$23K/month per resource. GPU-backed resources flagged HIGH risk. Native cost tools don't surface these — CleanCloud does. Opt-in via `--category ai`
 - **Policy-as-code governance:** `cleancloud.yaml` for per-rule config, exceptions with expiry dates, cost and confidence thresholds, tag-based exclusions — version-controlled alongside your infrastructure. Every exception is a git-reviewable approval.
 - **Governance enforcement (opt-in):** `--fail-on-confidence HIGH` or `--fail-on-cost 500` — enforce waste thresholds in CI/CD on a schedule, owned by platform or FinOps teams
-- **39 curated, high-signal detection rules:** orphaned volumes, idle databases, stopped instances, unused registries, and more — designed to avoid false positives in IaC environments, each with a deterministic cost estimate
+- **40 curated, high-signal detection rules:** orphaned volumes, idle databases, stopped instances, unused registries, and more — designed to avoid false positives in IaC environments, each with a deterministic cost estimate
 - **Multi-account scanning (AWS):** scan entire AWS Organizations in one run — config file, inline IDs, or auto-discovery via `--org`
 - **Multi-subscription scanning (Azure):** scan all Azure subscriptions in parallel — auto-discovery via Management Group, per-subscription cost breakdown included
 - **Multi-project scanning (GCP):** scan all accessible GCP projects in parallel — auto-discovery via Application Default Credentials, per-project cost breakdown included
@@ -274,6 +274,7 @@ Idle AI/ML infrastructure is the fastest-growing source of invisible cloud spend
 | Bedrock Provisioned Throughput | $600 – $7,300+ / MU / month |
 | SageMaker endpoint (GPU) | $500 – $23,000 / month |
 | SageMaker Notebook Instance (GPU) | $500 – $23,000+ / month |
+| SageMaker Studio Apps (KernelGateway/JupyterLab/CodeEditor) | $42 – $1,600+ / month |
 | Azure AML compute cluster (GPU) | $600 – $15,000 / month |
 | Azure ML Compute Instance (GPU) | $600 – $15,000+ / month |
 | Azure OpenAI Provisioned Deployment (PTU) | $1,460+ / PTU / month |
@@ -283,7 +284,7 @@ Idle AI/ML infrastructure is the fastest-growing source of invisible cloud spend
 CleanCloud detects zero-invocation / zero-prediction endpoints and idle notebook instances across all three clouds and flags them HIGH risk. Native cost tools show the bill — they don't tell you *which endpoint* to delete.
 
 ```bash
-cleancloud scan --provider aws --category ai          # Bedrock PTUs + SageMaker endpoints + notebooks + idle GPU EC2
+cleancloud scan --provider aws --category ai          # Bedrock PTUs + SageMaker endpoints + notebooks + Studio apps + idle GPU EC2
 cleancloud scan --provider azure --category ai        # AML compute clusters + ML instances + OpenAI PTUs
 cleancloud scan --provider gcp --category ai          # Vertex AI endpoints + Workbench
 cleancloud scan --provider aws --category all         # hygiene + AI/ML together
@@ -523,7 +524,7 @@ Yes. CleanCloud only needs network access to your cloud provider's API endpoints
 
 ## What CleanCloud Detects
 
-35 rules across AWS, Azure, and GCP — conservative, high-signal, designed to avoid false positives in IaC environments.
+40 rules across AWS, Azure, and GCP — conservative, high-signal, designed to avoid false positives in IaC environments.
 
 **AWS:**
 - Compute: stopped instances 30+ days (EBS charges continue)
@@ -532,7 +533,7 @@ Yes. CleanCloud only needs network access to your cloud provider's API endpoints
 - Platform: idle RDS instances (HIGH)
 - Observability: infinite retention CloudWatch Logs
 - Governance: untagged resources, unused security groups
-- AI/ML *(opt-in: `--category ai`)*: idle Bedrock Provisioned Throughput (Model Units) with zero invocations 7+ days — bills $600–$7,300+/MU/month regardless of traffic; idle SageMaker endpoints with zero invocations 14+ days — GPU-backed endpoints flagged HIGH risk ($500–$23K/month); idle Notebook Instances with no activity 14+ days — GPU-backed notebooks flagged HIGH risk ($500–$23K+/month)
+- AI/ML *(opt-in: `--category ai`)*: idle Bedrock Provisioned Throughput (Model Units) with zero invocations 7+ days — bills $600–$7,300+/MU/month regardless of traffic; idle SageMaker endpoints with zero invocations 14+ days — GPU-backed endpoints flagged HIGH risk ($500–$23K/month); idle Notebook Instances with no activity 14+ days — GPU-backed notebooks flagged HIGH risk ($500–$23K+/month); idle Studio Apps (KernelGateway/JupyterLab/CodeEditor) with no user activity 7+ days — GPU-backed apps flagged HIGH risk ($42–$1,600+/month)
 
 **Azure:**
 - Compute: stopped (not deallocated) VMs (HIGH)
 
@@ -92,6 +92,10 @@ rules:
   #   params:
   #     idle_days: 14           # default: 7 (days of zero invocations before flagging)
 
+  # aws.sagemaker.studio_app.idle:
+  #   params:
+  #     idle_days: 14           # default: 7 (days of no user activity before flagging)
+
   # azure.openai.provisioned_deployment.idle:
   #   params:
   #     idle_days: 14           # default: 7 (days of zero requests before flagging)
 
@@ -688,6 +688,55 @@ def run_aws_ai_doctor(profile: Optional[str], region: Optional[str] = None) -> N
         permissions_failed.append(("sagemaker:DescribeNotebookInstance", str(e)))
         warn(f"sagemaker:DescribeNotebookInstance - {e}")
 
+    # --- sagemaker:ListApps (aws.sagemaker.studio_app.idle) ---
+    try:
+        sagemaker.list_apps(MaxResults=1)
+        permissions_tested.append("sagemaker:ListApps")
+        success("sagemaker:ListApps")
+    except Exception as e:
+        permissions_failed.append(("sagemaker:ListApps", str(e)))
+        warn(f"sagemaker:ListApps - {e}")
+
+    try:
+        # Paginate through all apps to find the first qualifying one — checking only
+        # the first page can leave describe_app untested in accounts with many apps.
+        _target_app = None
+        _paginator = sagemaker.get_paginator("list_apps")
+        for _page in _paginator.paginate(PaginationConfig={"PageSize": 20}):
+            for _a in _page.get("Apps", []):
+                if _a.get("Status") == "InService" and _a.get("AppType") in (
+                    "KernelGateway",
+                    "JupyterLab",
+                    "CodeEditor",
+                ):
+                    _target_app = _a
+                    break
+            if _target_app:
+                break
+
+        if _target_app:
+            describe_kwargs = {
+                "DomainId": _target_app["DomainId"],
+                "AppType": _target_app["AppType"],
+                "AppName": _target_app["AppName"],
+            }
+            if _target_app.get("SpaceName"):
+                describe_kwargs["SpaceName"] = _target_app["SpaceName"]
+            elif _target_app.get("UserProfileName"):
+                describe_kwargs["UserProfileName"] = _target_app["UserProfileName"]
+            sagemaker.describe_app(**describe_kwargs)
+            permissions_tested.append("sagemaker:DescribeApp")
+            success("sagemaker:DescribeApp")
+        else:
+            # No qualifying InService app exists in this account/region — describe_app
+            # cannot be exercised, so the permission remains untested.
+            info(
+                "sagemaker:DescribeApp - not tested (no InService KernelGateway/JupyterLab/CodeEditor app found to probe)"
+            )
+    except Exception as e:
+        permissions_failed.append(("sagemaker:DescribeApp", str(e)))
+        warn(f"sagemaker:DescribeApp - {e}")
+
     try:
         cloudwatch = session.client("cloudwatch", region_name=region)
         now = datetime.now(timezone.utc)